In this India-U.S. Policy Memo, Ian Wallace explains the different approaches that India and the U.S. take on internet governance, what’s at stake in this debate, the choices that face the Modi government, and the internet governance-related meetings on the horizon.

The world is at a crucial moment for the future of the internet. Unfortunately, India and the United States both have Internet governance “problems.” The good news is that each may also have the answer to the other’s woes. For each other, and for the greater good, that is an opportunity that Prime Minister Modi and President Obama should take.

The United States has long been a staunch advocate of the current multistakeholder governance model, which includes mechanisms for private sector and civil society participants alongside governments in Internet decision making. Only such mechanisms, its supporters argue, have the flexibility and adaptability to ensure that the extraordinary growth of the Internet will continue along with the economic prosperity it has helped create.

By contrast, India has generally championed a multilateralist approach. That is the idea that only governments, working through international organizations like the United Nations, have the legitimacy to make decisions on such important transnational issues. There are actors in India, particularly in the highly successful technology industry, that recognize the risk of imposing United Nations-style decision-making on a system as complicated and vital as the global internet. But Indian officials still tend to prefer their international cooperation to be state-based.

Just at the time when the multistakeholder model has needed U.S. leadership, the power of its advocacy has been (at least temporarily) undermined. Unfortunately for the U.S., while Edward Snowden’s revelations have actually had little to do with the practical issues at stake in Internet governance, they have undoubtedly exacerbated a widely-held concern about undue U.S. “control” over the internet. The facts hardly support the critics’ claims and, in fact, the Obama administration has recently announced its plans to give up its technical oversight of the management of internet addresses. But the taint of Snowden nevertheless continues to complicate the U.S. ability to talk internationally about Internet issues.

Meanwhile, India’s position also brings with it presentational challenges, not least the fact that despite being the world’s largest democracy, it finds itself in the same camp as authoritarian states such as China, Iran, and Russia, who are widely seen as favoring inter-governmental control as a vehicle for legitimizing national measures to control their citizens. More practically, it is not yet clear how Prime Minister Modi will reconcile his business-friendly electoral platform with an emphasis on internet-driven economic development, with the multilateralist preferences implied by India’s decision not to support the Statement of Principles agreed at the NETMundial Global Multistakeholder Meeting on the Future of Internet Governance in São Paulo in April. That meeting took place a month before the prime minister was elected, but now that those Principles form the basis of an ongoing process designed to agree to a way forward on Internet governance, how India positions itself will be crucial.

Prime Minister Modi is, however, a pragmatist. So while he may encounter resistance from within some in the Indian establishment, if the business/technology community is able to make its case, he may see the benefits of following in the footsteps of his BRICS colleague President Dilma Rousseff of Brazil. Despite initially arguing for multilateral governance in a speech to the U.N. General Assembly last September (in response to learning her own phone had been spied on), President Rousseff quickly and decisively revised her position. After discussions with global internet leaders and Brazil’s own private sector and internet experts, she shrewdly recognized that, in fact, Snowden had created an opening for her to redefine Brazil not only as a proud supporter of the multistakeholder approach but also as a more reliable champion of the global Internet than the U.S. While Americans might challenge the analysis, the overall outcome is good for everyone. For his own reasons, Prime Minister Modi could do a lot worse than aligning India with Brazil as a champion of a multistakeholder but not "U.S.-centric" Internet.

Quietly, President Obama would have good cause to be happy with that outcome. And if Prime Minister Modi is able and willing to position India squarely within the multistakeholder camp, then he and President Obama should waste no time in agreeing how to secure their common internet goals.

Not only is the NETMundial process underway, but there are other important internet-related meetings on the horizon, including the International Telecommunication Union Plenipotentiary meeting in Busan, South Korea in late October/early November. There is a lot at stake and many governments still to be won over. Working together, along with Brazil and other long-standing supporters of the multistakeholder model, Indian and U.S. diplomacy could, and hopefully will, prove decisive.

Five Guiding Principles for the Development of National Cyber Strategies

National cyber strategies are very much in vogue. The majority of European Union and NATO member states had their own national strategies, along with countries as diverse as Grenada and Pakistan. The message is clear that cybersecurity matters. If you want to be taken seriously on the world stage, let alone protect your increasingly networked economy and society, you need a national cyber strategy. But what does a national cyber strategy need to look like? Here are five principles that I believe should be central to any such endeavor:

Remember that a strategy is declaratory policy as well as a guide to action. While the primary purpose of a national cyber strategy is usually to ensure a coordinated national response to cyber threats, what your national cybersecurity strategy says also says a great deal about your nation. Countries that see the principal threat being attacks on information systems will be seen very differently to countries that see the threat coming from the information itself.

Focus on continuity as well as change. New national coordination structures will likely be required to respond to the cyber challenge. But what is just as important will be to successfully adapt existing structures to the new challenges. Cyber crime is still crime, cyber espionage is still espionage, cyber warfighting is still warfighting. Preserving that philosophy will help keep the challenge in perspective and ensure, for example, that civilian/military roles and responsibilities are appropriately maintained.

Make your strategy genuinely ‘national’. National strategies are often about the role of government in cyber security, and that is not a bad thing. But effective cybersecurity is likely to be a private/public partnership, often with the private sector in the lead. Strategies that recognize this fact, and build on it (e.g. through government use of both ‘carrots’ and ‘sticks’) are likely to be the most successful. Likewise, cyber is an international issue – foreign and development ministries have key roles to play too.

Make sure your strategy is credible. Resourcing is an important part of this, but so is what strategies fail to address. For example, the fact that few strategies mention offensive cyber capabilities is – in my view – often self-defeating. A partial strategy is unlikely to be convincing. No one expects great detail but a failure to acknowledge such capabilities simply undermines confidence in the rest of the strategy. Indeed, using national strategies to set out unilateral limits on the use of such capabilities could be an important ‘norm’ setting device.

Accept that cybersecurity is with us forever, and plan accordingly. All strategy should be dynamic, but especially cyber strategy where not only are the adversaries perpetually evolving but so is the underlying technology. Part of this is to mitigate the likely consequences of inevitable future attacks. In fact, when we look back in history, we may well conclude that the most successful national strategies have been those that build nations’ resilience to cyber shocks. To date, however, such strategy sadly remains the exception rather than the rule.

Moore's Law Goes To War: How Can The Department Of Defense Keep Pace With Changes In IT?

Event Information

Moore’s Law – the observation that computing power doubles roughly every two years – has not only transformed how people live but also how they fight. Revolutionary technologies, from social networks to smartphones, have changed the world. Such rapid change, however, challenges military acquisitions, which can take years or even decades to buy new systems. For the U.S. military, which has been reliant on its technological advantages to deter and defeat adversaries, this mismatch has major implications and presents a serious national security risk. But how can the Department of Defense (DOD) and Congress improve on current processes? Should Congress simply give DOD more budgetary and oversight flexibility? Or is legislation required to better incentivize smaller and more rapid acquisition programs? What can DOD do to make it easier for the most innovative companies to supply warfighters in the most cost efficient ways?

To address these and other approaches, the Center for 21st Century Security and Intelligence hosted a panel discussion with experts qualified to look across decades of acquisition reform and offer innovative ideas about the way forward. Panel members included Jacques Gansler, former undersecretary of defense for acquisition, technology and logistics; Tom Sisti, senior director and chief legislative counsel at SAP; Jon Etherton, senior fellow at the National Defense Industrial Association; and Lieutenant Colonel Dan Ward, author of F.I.R.E.: How Fast, Inexpensive, Restrained, and Elegant Methods Ignite Innovation. Brookings Visiting Fellow in Cybersecurity Ian Wallace moderated the discussion.

What do the crisis in Ukraine, the resignation of Target’s chief information officer, and the effect of Edward Snowden on European legislators all have in common? According to Brookings cybersecurity experts, they are all going to be central to the development of U.S. cybersecurity policy in the months ahead. That was the conclusion of a fantastic expert podcast recorded here at Brookings earlier this month.

The idea for this podcast came when Peter Singer, the director of Brookings’s Center for 21st Century Security and Intelligence (21CSI), and I were discussing our own thoughts on what is going to drive cybersecurity policy in the coming months. Why not widen the discussion to the rest of the cybersecurity team, and record it for everyone else’s benefit?

Peter, as the co-author of a new bestselling book on cybersecurity (Cybersecurity and Cyberwar: What Everybody Needs to Know), is himself a leading expert on this subject. But over the past year we have also expanded our in-house expertise by recruiting two internationally acknowledged leaders in cybersecurity – Richard Bejtlich and Ralph Langner – as nonresident fellows. They are rarely in the same city, so while they were both here in Washington earlier this month, we jumped at the chance to get them around a table to ask them their views on current trends in the world of cybersecurity and what we are going to see in the coming months.

As you will hear, the results did not disappoint. Highlights include:

Ralph, who did much of the early forensic work that identified the true purpose of Stuxnet, explains that the real risk to critical infrastructure is not from hackers crashing SCADA systems, but from organized groups seizing control of them to do other damage;

Richard talks about the cybersecurity risk of the current crisis in Ukraine;

And a roundtable discussion about the complex challenges faced by the next CYBERCOM-NSA commander.

We enjoyed the podcast so much that we have decided to record one every few months. If you have particular questions and topics that you would like the team to discuss or guests who you would like to join us at the table, please let us know in the comments or by tweeting your thoughts to me (@pianwallace) or Peter (@peterwsinger). We want to hear from you on this important issue.

Event Information

President Obama’s Executive Order 13636 mandated the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a comprehensive approach to mitigating cyber risk for critical infrastructure. Following an unprecedented year of stakeholder engagement, the final Cybersecurity Framework was published on February 12. This voluntary set of standards, guidelines and best practices is intended to reduce cyber risks and promote the protection of critical infrastructure. But how will the Framework look once it is put into practice by industry? And once it is, how does the government support the use of the Framework? And, crucially, will it improve national and economic security?

On February 19, the Center for 21st Century Security and Intelligence at Brookings hosted a panel discussion evaluating the NIST Framework. Panelists included Patrick D. Gallagher, the director of NIST; Cameron Kerry, a distinguished fellow with Governance Studies at Brookings and former acting secretary and general counsel of Commerce; and Dean Garfield, president and CEO of the Information Technology Industry Council. Ian Wallace, visiting fellow in cybersecurity at Brookings, moderated the discussion.

Secure the Future of the Internet

President Obama should make it a personal priority to ensure an open and free-market Internet in 2014, write Peter W. Singer and Ian Wallace. Instead of waiting out the international blowback from Edward Snowden’s NSA revelations, the president needs to lead a new strategy against those governments who want to regulate the way the global Internet is run.

The next year will be a crucial one for the future of the Internet, a technology that has driven the most change and progress in our lifetimes. Between Edward Snowden’s revelations and the resulting blowback, and upcoming international talks on global “Internet governance,” this already complex domain is quickly rising as a major challenge to your administration. While many urge you and the United States to keep a low profile, our interests are better served by actively leading the global debate on the future of the Internet.

We recommend that Internet policy and strategy be elevated as a top priority for your administration under the clear direction of the White House. You should develop a strategic plan to identify and achieve key U.S. goals for the future of the Internet and its governance and to ensure that all parts of the U.S. government work to advance them. It also means doing a better job of involving and leveraging the U.S. private sector. This effort must include energizing international partners and even competitors—especially in key “swing” countries—to engage their own governments to prevent the balkanization of the Internet and handover of governance to bodies that would stifle the free flow of information and harm both global trade and political freedom.

To be utterly clear, the future of the Internet is about more than just responding to the NSA reform recommendations of the Review Group on Intelligence and Communications Technology—important though that will be for other reasons. It is a broader, strategic issue of which you should take personal ownership, putting in place an empowered, inter-agency team led by a designated White House official to implement the strategic plan. This may even require a new position with dual status on the National Security Staff and National Economic Council. This also means asserting more proactive control of the covert activities that could undermine that strategy and deciding whether these operations are worth the risk, underscoring the commitment to balance intelligence benefit with greater national strategic goals.

You should establish a clear message that the events of last year have not changed our fundamental position on the future of the Internet and roll it out soon in a major speech overseas—ideally somewhere in the developing world, where much of the Internet’s growth is now taking place. This speech needs to acknowledge global concerns raised by various espionage efforts to monitor certain types of information. But it should also raise broader issues to remind people of the political and economic advantages of an Internet where information still flows openly, facilitated by the appropriate mix of government, industry and civil society participation in a complex web of governance mechanisms. That message should also make a clear distinction between America’s approach to the Internet and Internet freedom and that of many of our critics in authoritarian governments.

Background

There is a divide emerging in the international community between those countries who prefer an international legal framework that allows governments alone to regulate the international aspects of the Internet—for example, through the United Nations and specifically the International Telecommunication Union (ITU)—and those, such as the United States and our closest allies, who recognize that the extraordinary success of the Internet lies in its unique governance regime that blends private sector and civil society involvement alongside national governments, while minimizing the amount of formal control.

The way the Internet has developed to date benefits both U.S. and global citizens and consumers, but we must recognize that not every foreign government sees it that way. For many new democracies as well as authoritarian regimes it is seen as a foreign, destabilizing force. And, economically, while it has undoubtedly benefited U.S. companies, this has sometimes been at the expense of local state-backed telecoms companies. We are also seen by many to retain disproportionate formal control over many of the institutions that oversee the technical operation of the Internet (especially the Internet Corporation for Assigned Names and Numbers and the Internet Assigned Numbers Authority). In reality, the U.S. government exercises virtually no control through those mechanisms, but our critics argue that we want to retain the status quo in order to retain U.S. “hegemony” over the Internet. International perceptions about the activities of the NSA fuel that theme, but the status quo was becoming increasingly less tenable anyway.

During the coming year, there will be a series of meetings that will affect the future of the Internet and its governance, culminating in the International Telecommunication Union’s plenipotentiary meeting in South Korea that starts in October. The disclosures of the past year have complicated what was already proving a hard sell in some parts of the world. In establishing our new strategy, it is important to appreciate these views. While no one really expects us to stop spying completely, we will have to come to terms with the fact that allegations about listening to the personal telephones of individual foreign leaders, or collecting vast amounts of metadata from allied countries, feed a narrative of overbearing U.S. cyber power. The more that people around the world buy into that narrative, the harder our task becomes.

Despite the challenges, we and our allies cannot be missing in action in the coming global Internet debate. Almost all countries benefit from the advantages of global connectivity. For more developed countries, including those of the OECD, that is certainly the case. Meanwhile, we can count on authoritarian states such as Russia and China to prioritize international government control as they (probably rightly) see that as the arrangement least likely to challenge the legitimacy of their domestic policies.

Our problem is that, in losing the confidence of key swing states like Brazil on data privacy and surveillance, we risk also losing their support for our separate, although related, approach to Internet governance. That would be a massively retrograde step for U.S. interests.

Official Brazilian proposals for protecting its citizens from NSA spying (and a similar discussion beginning in India) therefore do not bode well for the United States. President Rousseff’s push for such policies is as much for domestic consumption as any foreign policy goal, and Brazilian moves away from the so-called “U.S.-centric Internet” will come more from pre-existing private sector initiatives than anything her own government can do. However, they are important because they bleed into separate debates about the role of states in Internet issues and wider governance issues, adding momentum to a more general global movement away from U.S. leadership at a time when we have begun to silence ourselves.

The globalization of Internet architecture is not a bad thing—it is just a natural reflection of the growth of the Internet around the world, as more and more non-Western users come online. But we should seek to guide how that transition happens and ensure it does not take the Internet and its users into a worse place. If a weakening of U.S. leadership also results in too much of a move away from the (largely liberal and free market) values that have dominated the development of the Internet to this point, that would be a bad thing—for the world, not just us. It could drive the “fragmentation” of the global Internet through the building of more and more barriers to the free flow of information. And, it could lead to a further weakening of the (already heavily contested) norm that states should limit their interference with the content that flows over the net.

That is why you need to act and act soon—for both shorter-term tactical and long-term strategic reasons. The short-term challenge is to give your officials the best possible negotiating position in the forthcoming round of Internet governance discussions. We believe that that would come from a clear signal that this is a personal priority for you.

More importantly, now is the time to better determine and shape our long-term goals. The sooner that we can articulate a clear, robust case for a U.S. vision for the future of the Internet, the better. And that needs to be one that, while acknowledging the natural shift away from U.S. control, makes both the pragmatic and principled arguments for preserving the values that have made the Internet such a successful driver of positive global economic, political and social change, and for governance structures that can be depended upon to maintain that success.

Conclusion

This is an important period for the future of global governance, the information economy and what the Internet means for how states relate to one another. This initiative should be an administration priority. If, however, we allow embarrassment from the Snowden revelations to prevent us from taking a proper leadership role, we will not only exacerbate the already considerable damage done to U.S. standing, but we will hand a gift to those who would diminish both U.S. and global democratic interests. You should act to better organize us to lead and set the tone quickly—both within the U.S. government and internationally—to ensure our arguments prevail in the forthcoming battle of online ideas.

President Obama should make it a personal priority to ensure an open and free-market Internet in 2014, write Peter W. Singer and Ian Wallace. Instead of waiting out the international blowback from Edward Snowden’s NSA revelations, the president needs to lead a new strategy against those governments who want to regulate the way the global Internet is run.

The next year will be a crucial one for the future of the Internet, a technology that has driven the most change and progress in our lifetimes. Between Edward Snowden’s revelations and the resulting blowback, and upcoming international talks on global “Internet governance,” this already complex domain is quickly rising as a major challenge to your administration. While many urge you and the United States to keep a low profile, our interests are better served by actively leading the global debate on the future of the Internet.

We recommend that Internet policy and strategy be elevated as a top priority for your administration under the clear direction of the White House. You should develop a strategic plan to identify and achieve key U.S. goals for the future of the Internet and its governance and to ensure that all parts of the U.S. government work to advance them. It also means doing a better job of involving and leveraging the U.S. private sector. This effort must include energizing international partners and even competitors—especially in key “swing” countries—to engage their own governments to prevent the balkanization of the Internet and handover of governance to bodies that would stifle the free flow of information and harm both global trade and political freedom.

The Military Role in National Cybersecurity Governance

http://www.brookings.edu/research/opinions/2013/12/16-military-role-national-cybersecurity-governance-wallace

Cybersecurity – A New Challenge for Governments

The emergence of sophisticated information systems has transformed the world. But it has also created a major new challenge for governments. Cyber threats do not fit easily into the traditional security framework that now exists in most modern states. Under that model, law enforcement has evolved to protect us from threats within our society, while militaries have evolved primarily to protect from external threats (accepting that the extent to which the military is involved in domestic affairs varies from state to state). However, cyber threats often come from overseas, making it difficult for law enforcement to deter or punish them. Yet, as argued below, such threats rarely rise to the level that would warrant a military response. New approaches are required, and none of them are straightforward. Yet, how governments respond to those challenges will have international as well as domestic implications. The appropriate role of the military is central to this.

Understanding The Threat

The first challenge is to understand the nature of the threat. This includes acknowledging that there is a major difference of perspective within the international community between those states that prefer to talk about “information security,” including protecting citizens from what they consider harmful content, and other states that focus on “cybersecurity,” a narrower subset of information security: the security of the electronic systems that carry the information. This paper focuses on cybersecurity, which is of course relevant to all.

Appreciation of the fact that not all “cyberattacks” are similarly motivated is essential to thinking about how government might address those threats. Different scholars use different taxonomies to describe the range of threats, but I prefer to use one adapted from the work of King’s College, London’s Dr. Thomas Rid. This breaks down the threat to “espionage,” “subversion,” and “sabotage,” as well as “cybercrime” and – only in very limited circumstances – “cyberwar.” I do not completely accept Rid’s argument that cyber war “will not take place,” but in any case this way of thinking about the issue points to the undoubted fact that the vast majority of cybersecurity breaches fall below the threshold that in the physical world we would call an “act of war.” The difference between these categories can be minimal – once inside a system, the difference between espionage and sabotage can be as little as a few keystrokes – but the difference is important, both legally (as described in the recently published Tallinn Manual) and politically. In other words, a military response is often not the best, or even a legal, response to a cyberattack.

Use of the Military for Cybersecurity: Pros and Cons

This does not mean that cyber threats below the level of “war” should not be taken seriously. But it also raises the question of the appropriateness of using the military to address such threats as sabotage, subversion, and especially espionage and crime.

There are undoubted attractions to using the military in such a role. Most serious militaries have some cyber capability (or aspire to develop one), both to support the fighting on the battlefield and to defend their own systems during peacetime. Very often militaries provide their nations’ signals intelligence and, as such, the information that underpins the most sophisticated cyber operations. More generally, militaries are mission-oriented; they are often better resourced than other arms of government; and they are structured to develop the personnel required – all exactly what you would want for an effective cyber defense force.

Nevertheless, overuse of the military presents challenges, too, for at least two reasons. The first is the practical risk of creating a “crowding-out” effect. Cyber threats are not going away. On the contrary, they are proliferating at a dramatic rate, in part because we are making more and more use of information systems. For that reason, cybersecurity will need to be a discipline that everyone in a country takes seriously, not just something that citizens and private companies can expect to outsource to the military. Any country that depends too heavily on the military for cybersecurity will likely find itself reducing the incentives for the private sector to develop longer-term solutions.

Second, but of no less concern, is the risk of militarizing a major new aspect of domestic security, which in many countries would be considered a very bad thing. In order to achieve truly effective cybersecurity it is necessary to be permanently operating on the defended systems. Few private sector companies are likely to welcome such hands-on assistance from the military, not least because they may well feel that they are better placed to defend their own networks.

Alternatives

Central to the question of the role of the military in “defending the nation” against cyber threats is what else governments can do. Traditionally, the other institution that provides security is law enforcement. Police and other law enforcement agencies are often constrained by the laws under which they operate and the challenges of developing cases that lead to successful prosecutions. However, in recent years innovative agreements such as the European Council’s 2001 Convention on Cybercrime (now with 50 signatories across every continent) have made it harder for cyber criminals to avoid justice by basing themselves outside the country they are stealing from. Meanwhile, law enforcement agencies like the U.S. Federal Bureau of Investigation are working with international colleagues and major companies like Microsoft to disrupt the very worst criminals (such as the takedown earlier this year of the Citadel network botnet used to steal over $500 million from bank accounts).

Another potential approach for the government is to support the private sector in providing its own security. This can be as simple as creating an appropriate incentives structure for information-sharing between companies or raising basic cybersecurity standards (sometimes through government regulation). This might also involve more practical help, like sharing secret intelligence with private sector companies, to improve their defenses and allow Internet Service Providers to screen out known malware.

It could also involve licensing the private sector to respond to intrusions themselves, so-called “hacking back.” Currently the law in many countries does not permit hacking-back and for good reason, namely the risk of inadvertently putting their own countries on an unwanted and escalatory path towards conflict. But such approaches have strong advocates and may gain traction in future. More positively, government might support the establishment of additional Computer Emergency Readiness Teams (CERTs) to coordinate incident response by the private sector.

Cyber National Security Threats Short of War

In practice, therefore, the appropriate level of military involvement needs to be informed by both the dangers to national security and the alternatives available (including the risk of misemploying the military). Each nation will face different considerations. The result, however, might look something like this:

The theft of information from government and defense contractors probably ranks as the most serious threat to national security, and as such, would almost certainly justify some government action. There are various possible motivations for such intrusions, including a commercial one, but they also represent a compromise of future military effectiveness (especially if the intruder is a potential adversary or is willing to give/sell their information to one).

The potential for a devastating attack on critical national infrastructure (including the finance, energy, transportation, communications and other economic sectors vital to the life of a nation) is another grave concern, although arguably less immediate a threat than the theft of national security secrets. While the military might be expected to be ready to support a response to an attack, in most countries some proportion of critical infrastructure is in private hands, making military approaches less practical or acceptable. This is an area where the government’s best approach might be the use of economic incentives, including regulation to improve security levels.

Commercial espionage, either of intellectual property or sensitive business information, is another area where military approaches might not be appropriate. However, given the potential economic impact, especially when state-backed Advanced Persistent Threat techniques are used, this type of activity has the potential to significantly destabilize international relationships. Governments could then resort to sanctions or, if under pressure, to licensed private responses.

Fourth, there is the threat of cybercrime. Although not a direct threat, it could develop into one if left unchecked because of the potential for terrorists or states to leverage criminal networks. This is generally not a role for the military but rather for law enforcement. Their challenge is deciding whether to disrupt the criminal or to seek prosecutions.

Cyber Issues for Governments to Consider

What this all means, of course, is that governments all over the world face major decisions about how they use their military in the course of building their national cybersecurity strategies. Considerations will need to include:

Given all the variables, how involved should the military be in national cybersecurity?

Given the factors in play, how should governments balance their cybersecurity investments across the military, law enforcement and the private sector?

How, if at all, should the military be used to support the private sector?

What can be done to facilitate international cooperation by non-military parts of the government?

How can diplomatic initiatives reduce the need for the military to be used in domestic cybersecurity?

How can government act to avoid international disputes over cyber issues (e.g. responses to Edward Snowden’s revelations about the activities of the U.S. National Security Agency) that undermine cooperation on cybersecurity?

Cybersecurity – A New Challenge for Governments

The emergence of sophisticated information systems has transformed the world. But it has also created a major new challenge for governments. Cyber threats do not fit easily into the traditional security framework that now exists in most modern states. Under that model, law enforcement has evolved to protect us from threats within our society, while militaries have evolved primarily to protect from external threats (accepting that the extent to which the military is involved in domestic affairs varies from state to state). However, cyber threats often come from overseas, making it difficult for law enforcement to deter or punish them. Yet, as argued below, such threats rarely rise to the level that would warrant a military response. New approaches are required, and none of them are straightforward. Yet, how governments respond to those challenges will have international as well as domestic implications. The appropriate role of the military is central to this.

Understanding The Threat

The first challenge is to understand the nature of the threat. This includes acknowledging that there is a major difference of perspective within the international community between those states that prefer to talk about “information security,” including protecting citizens from what they consider harmful content, and others states that focus on “cybersecurity,” a narrower subset of information security. That is the security of electronic systems that carry the information. This paper focuses on cybersecurity, which is of course relevant to all.

Appreciation of the fact that not all “cyberattacks” are similarly motivated is essential to thinking about how government might address those threats. Different scholars use different taxonomies to describe the range of threats, but I prefer to use one adapted from the work of King’s College, London’s Dr. Thomas Rid. This breaks down the threat to “espionage,” “subversion,” and “sabotage,” as well as “cybercrime” and – only in very limited circumstances – “cyberwar.” I do not completely accept Rid’s argument that cyber war “will not take place,” but in any case this way of thinking about the issue points to the undoubted fact that the vast majority of cybersecurity breaches fall below the threshold that in the physical world we would call an “act of war.” The difference between these categories can be minimal – once inside a system, the difference between espionage and sabotage can be as little as a few keystrokes – but the difference is important, both legally (as described in the recently published Tallinn Manual) and politically. In other words, a military response is often not the best, or even a legal, response to a cyberattack.

Use of the Military for Cybersecurity: Pros and Cons

This does not mean that cyber threats below the level of “war” should not be taken seriously. But it also raises the question of the appropriateness of using the military to address such threats as sabotage, subversion, and especially espionage and crime.

There are undoubted attractions to using the military in such a role. Most serious militaries have some cyber capability (or aspire to develop one), both to support the fighting on the battlefield and to defend their own systems during peacetime. Very often militaries provide nations’ national signal intelligence, and as such, the information that underpins the most sophisticated cyber operations. More generally, militaries are mission-oriented: they are often better resourced than other arms of government; and they are structured to develop the personnel required – all exactly what you would want for an effective cyber defense force.

Nevertheless, overuse of the military presents challenges, too, for at least two reasons. The first is the practical risk of creating a “crowding-out” effect. Cyber threats are not going away. On the contrary, they are proliferating at a dramatic rate, in part because we are making more and more use of information systems. For that reason, cybersecurity will need to be a discipline that everyone in a country takes seriously, not just something that citizens and private companies can expect to outsource to the military. Any country that depends too heavily on the military for cybersecurity will likely find itself reducing the incentives for the private sector to develop longer-term solutions.

Second, but of no less concern, is the risk of militarizing a major new aspect of domestic security, which in many countries would be considered a very bad thing. In order to achieve truly effective cybersecurity it is necessary to be permanently operating on the defended systems. Few private sector companies are likely to welcome such hands-on assistance from the military, not least because they may well feel that they are better placed to defend their own networks.

Alternatives

Central to the question of the role of the military in “defending the nation” against cyber threats is what else governments can do. Traditionally, the other institution that provides security is law enforcement. Police and other law enforcement agencies are often constrained by the laws under which they operate and the challenges of developing cases that lead to successful prosecutions. However, in recent years innovative agreements such as the European Council’s 2001 Convention on Cybercrime (now with 50 signatories across every continent) have made it harder for cyber criminals to avoid justice by basing themselves outside the country they are stealing from. Meanwhile, law enforcement like the U.S.’s Federal Bureau of Investigation are working with international colleagues and major companies like Microsoft to disrupt the very worst criminals (such as the takedown earlier this year of the Citadel network botnet used to steal over $500 million from bank accounts).

Another potential approach for the government is to support the private sector in providing its own security. This can be as simple as creating an appropriate incentives structure for information-sharing between companies or raising basic cybersecurity standards (sometimes through government regulation). This might also involve more practical help, like sharing secret intelligence with private sector companies, to improve their defenses and allow Internet Service Providers to screen out known malware.

It could also involve licensing the private sector to respond to intrusions themselves, so-called “hacking back.” Currently the law in many countries does not permit hacking-back and for good reason, namely the risk of inadvertently putting their own countries on an unwanted and escalatory path towards conflict. But such approaches have strong advocates and may gain traction in future. More positively, government might support the establishment of additional Computer Emergency Readiness Teams (CERTs) to coordinate incident response by the private sector.

Cyber National Security Threats Short of War

In practice, therefore, the appropriate level of military involvement needs to be informed by both the dangers to national security and the alternatives available (including the risk of misemploying the military). Each nation will face different considerations. The result, however, might look something like this:

The theft of information from government and defense contractors probably ranks as the most serious threat to national security, and as such, would almost certainly justify some government action. There are various possible motivations for such intrusions, including a commercial one, but they also represent a compromise of future military effectiveness (especially if the intruder is a potential adversary or is willing to give/sell their information to one).

The potential for a devastating attack on critical national infrastructure (including the finance, energy, transportation, communications and other economic sectors vital to the life of a nation) is another grave concern, although arguably less immediate a threat than the theft of national security secrets. While the military might be expected to be ready to support a response to an attack, in most countries some proportion of critical infrastructure is in private hands, making military approaches less practical or acceptable. This is an area where the government’s best approach might be the use of economic incentives, including regulation to improve security levels.

Commercial espionage, either of intellectual property or sensitive business information, is another area where military approaches might not be appropriate. However, given the potential economic impact, especially when state-backed Advanced Persistent Threat techniques are used, this type of activity has the potential to significantly destabilize international relationships. Governments could then resort to sanctions or, if under pressure, to licensed private responses.

Fourth, there is the threat of cybercrime. Although not a direct threat, it could develop into one if left unchecked because of the potential for terrorists or states to leverage criminal networks. This is generally not a role for the military but rather for law enforcement. Their challenge is deciding whether to disrupt the criminal or to seek prosecutions.

Cyber Issues for Governments to Consider

What this all means, of course, is that governments all over the world face major decisions about how they use their military in the course of building their national cybersecurity strategies. Considerations will need to include:

Given all the variables, how involved should the military be in national cybersecurity?

Given the factors in play, how should governments balance their cybersecurity investments across the military, law enforcement and the private sector?

How, if at all, should the military be used to support the private sector?

What can be done to facilitate international cooperation by non-military parts of the government?

How can diplomatic initiatives reduce the need for the military to be used in domestic cybersecurity?

How can government act to avoid international disputes over cyber issues (e.g. responses to Edward Snowden’s revelations about the activities of the U.S. National Security Agency) that undermine cooperation on cybersecurity?

Event Information

On November 19, the Center for 21st Century Security and Intelligence at Brookings hosted a panel discussion on the 2014 national cybersecurity agenda. Since the publication of Executive Order 13636 and Presidential Policy Directive 21, both aimed at improving the security and resilience of U.S. critical infrastructure, including managing the risks posed by cyberattacks, the main focus of public attention has been on the development of the voluntary Cybersecurity Framework. After the National Institute of Standards and Technology’s recent release of the Preliminary Cybersecurity Framework for comment, attention is shifting to what it will mean and how the wider agenda will move forward. Simply, what does success look like, and what has to happen next to get there?

The expert panel represented the key stakeholders in the development of a national strategy for cyberspace. Acting Under Secretary for National Protection and Programs Suzanne Spaulding spearheads the Department of Homeland Security’s mission to reduce risk to and enhance the resiliency of critical infrastructure; Richard Bejtlich, chief security officer at Mandiant, has more than 15 years of experience in enterprise level intrusion detection and incident response; Allan Friedman, fellow in the Brookings Institution’s Center for Technology Innovation, is an expert on the economics of cybersecurity.

Cyber Security: Why Military Forces Should Take a Back Seat
http://www.brookings.edu/research/opinions/2013/10/21-cyber-security-why-military-forces-should-take-a-back-seat-wallace?rssid=wallacei

Editor’s Note: In an October 21, 2013 op-ed for The Interpreter, Ian Wallace explains why the “cyberwar” analogy is misapplied. He argues that “cyberwar” language diminishes civilian responsibility, increases complacency, reduces focus on sustainable defense, and can lead to needlessly aggressive doctrine, concluding that fixation on “cyberwar” desensitizes us to the real cybersecurity challenges at hand.

This is more than a semantic discussion. Unless you understand the nature of the threat, it is difficult to respond adequately. And while Tony is right to say that governments are beginning to respond to the challenge, few have yet done so effectively. That's why use of the term ‘cyberwar’ is potentially so consequential. A major part of the difficulty is that, intentionally or not, ‘cyberwar’ tends to imply a military response to threats. I do not think that is sensible.

Before explaining why, however, I should recognise that a large part of the reason for the persistence of the ‘war’ analogy is the absence of good alternatives.

Is There Such a Thing as Cyberwar?
http://www.brookings.edu/research/opinions/2013/09/27-is-there-such-a-thing-as-cyberwar-wallace?rssid=wallacei

Editor’s Note: In a September 27, 2013 op-ed for The Interpreter, Ian Wallace asks “what is the definition of cyberwar?” While cyber represents a disruptive technology and a potential new battlespace, he argues that it is not appropriate to describe current cyber activities as “war.” War is temporary and objective-oriented, but cyber is a permanent space without clearly delineated goals.

Darragh Murray may be surprised to learn that I share several of the concerns he lays out in his riposte to my piece on the potential for greater cooperation between the ‘Five Eyes’ in the realm of military cyber operations. It might be helpful to clarify a few misunderstandings, as well as addressing Darragh's questions.

First, just to be clear, I do not believe we are currently in a ‘cyberwar’. In fact, quite the opposite. As I have written previously, I believe such talk is dangerous.

Equally, I agree that we need to be careful about falsely applying the term ‘war’ to what happens in cyberspace. One of the most interesting writers on this subject is King’s College, London’s Thomas Rid, the author of a new book called Cyber War Will Not Take Place. As Rid set out at a recent event at the Brookings Institution, his main target is the notion of ‘cyberwar’ as something set apart from more general war.

Cyberwar: Leveraging Old Ties for New Threats
http://www.brookings.edu/research/opinions/2013/09/24-cyberwar-leveraging-old-ties-for-new-threats-wallace?rssid=wallacei

Editor's Note: In a September 24, 2013 op-ed for The Interpreter, Ian Wallace writes that the U.S. must do more to promote cyber cooperation through existing treaty arrangements, particularly with the United Kingdom, Australia, Canada, and New Zealand. He argues that cooperation with allies will accelerate the integration of cyber into conventional military doctrine as well as pioneer a new alliance framework for the age of cyberwar.

When former US Homeland Security Secretary Janet Napolitano hosted her ‘Five Eyes’ counterparts at the US Naval Postgraduate School in Monterey, California in July, it is not surprising that cybersecurity was on the agenda. These days, what self-respecting international security gathering would be without a cyber discussion?

But this also raises the question of why we do not see more such gatherings on cyber issues. Why are our defence ministers not jumping on the next plane to Monterey, or wherever else, to discuss military cyber cooperation?

The Five Eyes format is particularly well suited to cyber discussions. The great Catch-22 of cyber-related diplomacy is that while everyone acknowledges the importance of international cooperation, there is rarely sufficient trust between countries to enable a meaningful discussion. What could be a better format, therefore, than a partnership between the US, UK, Canada, Australia and New Zealand formed specifically to share signals intelligence?

Trident Alternatives: What Next for British Nuclear Forces?
http://www.brookings.edu/events/2013/09/11-trident-british-nuclear-forces?rssid=wallacei

Event Information

For 20 years, the British nuclear deterrent has rested on Trident nuclear-armed missiles carried by four Royal Navy Vanguard-class ballistic missile submarines, at least one of which is continuously at sea. The British government is now considering how to maintain a nuclear deterrent after the Vanguard submarines are retired. This summer, the UK concluded a study looking at a range of alternatives, including options other than Trident missiles and options that would no longer maintain a continuous at-sea deterrent presence.

On September 11, the Arms Control Initiative at Brookings hosted a talk by Danny Alexander, chief secretary to Her Majesty’s Treasury, on the study and how Britain should adjust its future nuclear posture to take account of new financial realities. Franklin Miller of the Scowcroft Group offered commentary, and Brookings Visiting Fellow Ian Wallace moderated a discussion with questions from the audience.

Cyber War Will Not Take Place, Or Will It?
http://www.brookings.edu/events/2013/09/09-cyber-war-will-not-take-place?rssid=wallacei

Event Information

For over two decades, cyber experts, politicians, and military leaders have worried about war in the cyber domain, a campaign of destruction wrought via the globe’s networked information technology, infrastructure, and economy. Despite these concerns, however, cyber war has yet to occur, and the concept itself may be distracting from other nefarious online activity.

On September 9, the Center for 21st Century Security and Intelligence hosted Thomas Rid, reader in war studies at King’s College London, for the U.S. launch of his new book Cyber War Will Not Take Place, in which he argues that cyber espionage, sabotage, and subversion are the threats that countries really face. He was joined by an expert panel, including Visiting Fellow in cybersecurity Ian Wallace, and Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council. They discussed the implications of cyber war and cyber weapons for national security and considered what cyber capabilities will mean for the future of conflict: What is the true military utility of cyber? Is the advantage really with the offense? Could the existence of cyber capabilities actually reduce the use of violence by states and non-state groups? What is at stake if we get the answers to these questions wrong?

Peter W. Singer, director of the Center for 21st Century Security and Intelligence at Brookings, moderated the session.

Following a recent speech, Chairman of the Joint Chiefs of Staff General Martin Dempsey dismissed concerns about the U.S. militarization of cyberspace. “We have a Navy, but we are not being accused of militarizing the ocean,” he said. As the world reflects on and responds to the actions of former National Security Agency contractor Edward Snowden, and as the investigation of possible leaks by former Joint Chiefs vice chairman General James Cartwright unfolds, it is difficult to avoid wondering if General Dempsey’s answer is the best the administration can muster. An increasing number of adversaries and even allies are coming to believe that the United States is militarizing cyberspace—and that impression of hubris and irresponsibility is beginning to have a real-world impact.

So what needs to be done? New thinking is required, in at least three ways: First, the administration needs to acknowledge that this is a problem. Second, a more holistic approach is required when making national-security decisions that affect the internet. Third, the government needs to learn to respond to these types of leaks in a way that does not make the situation worse.

Recalibrating the Risks and Rewards of Cyber Operations
http://www.brookings.edu/research/opinions/2013/07/17-recalibrating-risks-rewards-cyber-operations-singer-wallace?rssid=wallacei

The national security establishment is outraged about a spate of intelligence leaks and the impact they are viewed as having on our national security.

When Edward Snowden, a Booz Allen contractor at the National Security Agency, leaked details of programs to collect telephone metadata and (under a program called PRISM) mass Internet data, Director of National Intelligence James Clapper said the leaks had caused “long-lasting and irreversible damage to U.S. national security.”

These leaks were then followed by NBC’s reports that former Vice Chairman of the Joint Chiefs of Staff Gen. James Cartwright is under investigation for alleged leaks about the so-called Operation Olympic Games, in which a computer worm famously known as Stuxnet was used to attack the Iranian uranium enrichment program. Jane Harman, former Democratic congresswoman and House Intelligence Committee chairwoman, now CEO of the Wilson Center, said, “I think [the leak] had devastating consequences.”

Top Five Issues President Obama and Chinese President Xi Jinping Should Discuss
http://www.brookings.edu/blogs/up-front/posts/2013/06/04-top-five-issues-us-china-obama-xi?rssid=wallacei

President Barack Obama and Chinese President Xi Jinping will meet in California later this week, where they are scheduled to hold in-depth meetings on a wide range of issues in the U.S.-China relationship. Brookings experts identify the top five topics the two leaders should discuss: cybersecurity, North Korea, China's foreign investment, China's new government and the East and South China Seas dispute.

1. Cybersecurity

All countries engage in some form of spying, but China’s cyber-spying on American industries is especially threatening. If China refuses to curtail the practice, Ian Wallace explains, the U.S.-Sino relationship could be profoundly undermined.

Cyber-security: Putting China on Notice

2. North Korea

North Korea’s brinksmanship is disturbing to the region and problematic for the Chinese government, which is often asked to calm the country down. China agrees that North Korea needs to change, notes Jonathan Pollack, director of the China Center at Brookings.

North Korea: China's Problem

3. China's Foreign Investment

China’s foreign investment is staggering and continues to grow. China’s dollars also buy political influence around the world and could even hinder U.S. industrial growth. It may be unsettling but there’s little the U.S. can do. Eswar Prasad has the details.

China's Foreign Investment: Purse Strings and Political Power

4. China's New Government

The tension between the U.S. and China is largely fueled by their respective desire to reach the same goal: they both want to be the world’s preeminent power; but Cheng Li says this isn’t as ominous as it sounds.

The U.S. and China: Mutual Respect, Mutual Fear

5. East and South China Seas Dispute

Maritime rights have been a long-festering problem affecting several countries in the East Asian region. It’s an issue that can destabilize the neighborhood or the world and could possibly lead to war as Richard Bush, director of the Center for Northeast Asian Policy Studies, explains.

Brookings Launches the Center for 21st Century Security and Intelligence (21CSI)
http://www.brookings.edu/about/media-relations/news-releases/2013/0312-security-intelligence?rssid=wallacei

Washington, D.C. — The Brookings Institution announced today the establishment of the Center for 21st Century Security and Intelligence (21CSI). The new center will be unique in addressing defense, cybersecurity, arms control and intelligence challenges in a comprehensive manner, seeking not just to explore key emerging security issues, but also how they cross traditional fields and domains.

“With the launch of the Center for 21st Century Security and Intelligence, Brookings will be at the forefront of research and public debate on the critical security issues of our time,” said Strobe Talbott, president of the Brookings Institution. “21CSI will bring together the extraordinary array of scholars already working on defense and security issues at Brookings, along with adding new experts in fields that range from cyber to intelligence policy.”

The Center for 21st Century Security and Intelligence will be housed in the Foreign Policy program at Brookings and Peter W. Singer will serve as its founding director. One of the world’s leading experts on modern warfare and author of the New York Times bestseller, Wired for War (Penguin, 2009), Singer has founded and managed two previous projects at Brookings, the Project on U.S. Relations with the Islamic World and the 21st Century Defense Initiative.

The center will encompass four key focal points of policy research on security and defense issues:

A Defense Policy team will be led by Michael O'Hanlon, one of the most influential and widely published defense scholars in the world, who also serves as director of research in the Foreign Policy program. He will be joined by other resident and nonresident scholars including Senior Fellow Vanda Felbab-Brown, a leading expert on counterinsurgency and illicit networks, and Senior Fellow Stephen Cohen, a pre-eminent expert in South Asian security issues. The team will also comprise the Federal Executive Fellows (FEFs), career officers from each military service and the Coast Guard, who spend a year in residence researching and writing on defense topics.

The new Intelligence Project, focusing on the nexus of intelligence and policymaking, will be led by Senior Fellow Bruce Riedel, a 30-year veteran of the intelligence community who also served on the National Security Council staff for three presidents. Riedel will be supported by a team of resident and nonresident scholars, including Paul Pillar and John McLaughlin, as well as career officers seconded from the intelligence community, and an advisory group of distinguished former senior intelligence officials and policymakers. The Intelligence Project is the first of its kind to be established at a major research institution.

The Arms Control Initiative will combine a focus on existing challenges of nuclear and conventional disarmament with new policy research on the Iranian and North Korean challenges to the nuclear nonproliferation regime. It is led by Senior Fellow Steven Pifer, a former special assistant to the president with substantial arms control experience. Robert Einhorn, currently the State Department’s special adviser for Nonproliferation and Arms Control, is expected to join later this spring as a Senior Fellow. The Initiative will also house a new program designed to cultivate and mentor the next generation of arms control and nonproliferation scholars.

The new Cybersecurity project will bring together the work of Visiting Fellow Ian Wallace, a former senior official at the British Ministry of Defence, who helped develop British cyber strategy, as well as its cyber-relationship with the United States, and a team of nonresident fellows, including Noah Shachtman, national security editor at Wired magazine, recently named one of the top 10 cybersecurity writers in the world; Ben Hammersley, a war journalist, noted technology writer, and author of the upcoming book Approaching the Future: 64 Things You Need to Know Now for Then; and Ralph Langner, the cybersecurity expert credited with “decoding” Stuxnet.

21CSI will focus on cutting-edge, in-depth, policy-relevant research and programming, designed to help shape the public policy debate and inform policy-makers. Bringing together a diverse group of experts and scholars, it will seek to promote collaboration across the various policy domains, in order to better understand the rapidly evolving, increasingly complex 21st century battlefield.

“We’ve created 21CSI in response to the enormous changes playing out in the global security environment,” said Martin Indyk, vice president and director of the Foreign Policy program at Brookings. “To address the diverse range of issues in this field, we’ve assembled a world-class team of researchers, who are some of the leading voices on the current challenges driving security policy today, as well as how we should think about tomorrow.”

Tue, 12 Mar 2013 16:40:00 -0400

Why The U.S. Is Not in a Cyber War

For several weeks, it has been difficult to open a newspaper or watch a Sunday talk show without hearing about the advent of “cyber war.” The media has been filled with an avalanche of cyber threat-related stories: the hacking of leading newspapers, evidence of Chinese government involvement in intellectual property theft, and now, further distributed denial of service attacks against U.S. banks. All these events present real and serious national security challenges. But cyber-espionage, cyber-crime and the malicious disruption of critical infrastructure are not the same as war, and the distinction is important.

The idea that America is in the middle of a “cyber war” isn't just lazy and wrong. It's dangerous. The war analogy implies the requirement for military response to cyber intrusions. America genuinely needs effective civilian government cyber defense organizations with strong relationships with the private sector and the active engagement of an informed general public. Creating and even promoting the fear of “cyber war” makes that more difficult. Here’s why:

First, while the U.S. fights its wars using the highly trained professionals within the U.S. Armed Forces, defending against cyber threats does not necessarily require military expertise or prowess. True, most private individuals and corporations lack the knowledge and training needed to fight off attacks from elite Chinese, Iranian and Russian cyber “warriors.” As a result, there is and will continue to be a pressing need for highly qualified information security experts to help defend the larger U.S. cyber landscape. Nonetheless, there are relatively simple ways to make it more difficult for the bad guys without escalating to a “war” standing. In 2011, the Australian Defence Signals Directorate (their equivalent of the U.S. National Security Agency) showed that by taking just four key measures--“whitelisting” (i.e., allowing only authorized software to run on a computer or network), very rapid patching of applications and of operating system vulnerabilities, and restricting the number of people with administrator access to a system--85 percent of targeted intrusions can be prevented. These might appear more like prophylactic public health measures than warfare--and that’s the point. The United States does not need to declare “war” and call up the military to fend off cyber threats.
